27
Scoped API Access
Mark Wylde
When creating an API token, allow fine grained scoped control.
An example use case is, when using LetsEncrypt to generate your certificates, you can perform a DNS challenge to authenticate control of the domain. This adds a TXT record to your domain, confirming you have access to that domain.
You currently need to give your "god-mode" API token to do this using DigitalOcean.
With scoped access, you could create an API token with "dns:modify" and that's all that API token would be allowed to do.
This would reduce the attack surface if the API token gets leaked from your droplet.
Activity
Newest
Oldest
t
thomsley
Similar use case, I'm running
external-dns
on DOKS cluster, and it could totally spin up a bunch of droplets if it wanted to. Being able to scope to DO API endpoints+verbs would get us a huge step closer to least privilege accessB
Bruno ViVA
+1
That and also maybe adding an IP/resource restriction for where the token can be used from.
Bo Riis Toelberg Kristensen
Excellent idea +1 from me
K
Kas
+1
Finer grained scopes will help a variety of automation workflows locally as well on remotely on third party services (like GitHub actions).
It will also provide some peace of mind that an incorrectly configured script or typo won't accidentally wipe your entire infrastructure!